Instagram has notified a few of its users that their password information may have been compromised due to a bug in the new 'Download Your Data' tool. Instagram has confirmed that the URL shown while using the tool included the user's password information as well, something that should not be the case. If the tool was used on a shared computer, where the URL remains in the browser's history, this password information could potentially lead to misuse. The company notes that it has already fixed the bug, but recommends that users change their passwords nevertheless.
The 'Download Your Data' feature was launched in April, and it lets users export their photos, videos, archived Stories, profile, info, comments, and non-ephemeral messages. The tool gathers all of a user's data, prepares it for download, and then sends the user a link via email; clicking the link lets the user download all their Instagram data. Due to the security bug, the link also erroneously included the user's account password information, compromising the user's privacy. The Information reports that an Instagram spokesperson had confirmed that the issue was "discovered internally and affected a very small number of people."
While the link was shared with the user privately via email, if it was opened on a public or shared computer, the user's account credentials could be compromised. Instagram says that it has already fixed the issue at hand. "If someone submitted their login information to use the Instagram 'Download Your Data' tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens," an Instagram spokesperson told The Verge.
Even though the issue is fixed, a security researcher cited by The Information points to a larger problem behind the bug, saying it would only have been possible if Instagram stored users' passwords in plain text. The Instagram spokesperson disputed this claim, saying that the company hashes and salts its stored passwords. While Instagram says that the issue has affected a very small number of people, we recommend that you change your password immediately, and use the data download tool with caution.